The Old System:

• Internet Bug Bounty paid 80% to researchers who found bugs
• 20% went to open-source maintainers to fix them
• This worked for 14 years across thousands of vulnerabilities

The New Reality:

• AI tools can now scan code and find bugs in minutes
• Discovery rate exploded → more bugs than anyone can fix
• HackerOne: “AI-assisted research is expanding vulnerability discovery across the ecosystem, increasing both coverage and speed”
• The balance between findings and remediation shifted

Who Got Hit:

• Node.js: Lost Internet Bug Bounty funding on March 27, 2026. Still accepts reports via HackerOne but pays $0.
• Curl: Shut down its entire bug bounty program January 31, 2026. Confirmed vulnerability rate dropped from 15% to under 5% — not even 1 in 20 reports was real.
• Google: Also halted AI-generated submissions to its Open Source Software Vulnerability Reward Program in March 2026.

From his blog post on January 26, 2026:

“In one week, we received seven HackerOne reports within a sixteen-hour period. Some were actual bugs — none identified vulnerabilities. By early 2026 we had already handled twenty submissions.”

“The main goal of shutting down the bounty was to remove the incentive for people to submit poorly researched reports, whether AI-generated or not.”

Translation: Curl’s security team drowned in garbage. They pulled the plug to stop the flood.

The Old World:

• Find bug → submit report → get paid $500-$50K → maintainer fixes it
• Top researchers made $300K+/year, beginners made $500-$2K/month
• Everyone had a shot

The New World:

• AI finds 10,000 trivial bugs in minutes
• Top 10% of researchers build AI trained on their expertise → multiply output 5x
• The long tail gets crowded out by automation
• Only business logic, auth flows, and multi-step vulns still pay (AI can’t crack those yet)

What HackerOne Said:

“We have a responsibility to the community to ensure this program effectively accomplishes its ambitious dual purpose: discovery and remediation. We’re actively evaluating solutions to better align incentives with open source ecosystem realities.”

Translation: The money’s going to the wrong place. We need to pay fixers, not finders.

Here’s what you do: stop hunting for XSS and SQL injection. Those are dead. AI finds them in 8 minutes. Instead, you go after business logic vulnerabilities — the kind where you have to understand how the app actually works.

Examples:

• Password reset flows that let you hijack accounts
• API authorization bugs where you can access someone else’s data
• Multi-step transaction flaws (like checkout processes)

Example: A researcher in Brazil found a business logic flaw in a fintech app where you could cancel a payment but still receive the goods. He submitted it to a private bug bounty program (not Internet Bug Bounty). Payout: $15,000. AI didn’t find it because it required understanding the business flow across 6 different API calls.

Timeline: 3-6 months to get good at this. Start by reading real reports on HackerOne’s Hacktivity feed (filter for “business logic”).

If AI killed bug bounties, the trick is to sell shovels during the gold rush. Build automation tools that do the reconnaissance work for security researchers.

Example: A developer in Poland built a tool that scrapes subdomains, checks for misconfigurations, and outputs a prioritized list of targets. He charges $49/month on Gumroad. 240 subscribers = $11,760/month. He built it in 6 weeks using Python + AI for the detection logic.

Timeline: 2-3 months to build an MVP. You don’t need to be a security expert — just automate what bug bounty hunters already do manually.

This is the angle nobody’s talking about. HackerOne explicitly said the problem is remediation capacity. Open-source projects are drowning in bug reports and have nobody to fix them.

The play: Offer to fix vulnerabilities for open-source projects. Charge $500-$2,000 per fix. Projects like Node.js, Django, and Flask have backlogs of 40+ reported vulnerabilities.

Example: A developer in India reached out to 12 open-source projects with unfixed security issues. 3 responded. He fixed 8 vulnerabilities over 4 months and got paid $9,200 total. He also got his GitHub profile stacked with security contributions, which landed him a $120K/year security engineer job.

Timeline: Immediate. Go to HackerOne, filter for “triaged” reports on public programs, find issues that haven’t been fixed in 60+ days, email the maintainers offering to fix it.

HackerOne said prompt injection reports are up 540%. That’s not saturation — that’s a gold rush. AI security is still the Wild West.

What to target:

• Prompt injection (trick the AI into doing something it shouldn’t)
• Data exfiltration via AI tools
• Tool abuse (AI calling APIs it shouldn’t)

Example: A researcher in Vietnam found a prompt injection vulnerability in a customer service chatbot that let him extract internal company data. The company paid $8,500. He spent 4 hours testing different prompts.

Timeline: 1-2 months to learn. Start with OWASP’s AI Security project and practice on CTF challenges like Gandalf (prompt injection game).